Use this SP configuration guide only if you want to install a Shibboleth Service Provider for the SWITCHaai Federation or the AAI Test Federation, operated by SWITCH.
In all other cases, follow the installation and configuration instructions on the official Shibboleth Wiki of the Shibboleth Consortium or the deployment instructions of the federation into which the Service Provider should be integrated.

Introduction

This guide describes how to configure the Shibboleth Service Provider (SP) 2.6 for usage in the SWITCHaai or AAI Test federations.
Only the configuration of the Service Provider is covered. If the Service Provider has not yet been installed, first follow the Installation Guide. If you have an existing Service Provider that used an older version of Shibboleth, you might perform a clean configuration using this guide or alternatively, you could also try to upgrade the old configuration using to the Service Provider configuration migration guide.

Best Current Practices (BCP) for operating a SWITCHaai Service Provider

Before installing and configuring a Service Provider, we recommend to have a look at chapter 4. Operation of the Current Best Practices document. It makes useful recommendations regarding the security, availability and general operation of the Service Provider.

Prerequisites

Service Provider Installed

For the following steps a Shibboleth Service Provider (SP) 2.6 must be installed on your system. If you have not yet installed the Service Provider, please have a look at the Service Provider 2.6 Installation Guide first.

Sudo

We recommend installing sudo for commands that require root privileges.

SSL enabled for Apache

It is strongly recommended to have the Apache SSL module enabled and configured to support HTTPS. By default the Shibboleth messages containing user attributes are encrypted. Therefore, they can also be sent via the insecure HTTP protocol. However, successfully authenticated Shibboleth users accessing a web page via HTTP are prone to session hijacking attacks.

SSL enabled for IIS

The IIS website should have an appropriate x509 certificate installed and SSL enabled.

Requirements

The following software must be installed in order to operate a Shibboleth Service Provider.

Root access

For the following steps it must be possible to execute commands as user with root privileges, e.g. as root user or with the recommended sudo. Ensure that you have root privileges on the system.

OpenSSL

For verifying certificate fingerprints or for certificate inspection OpenSSL is required.

Note:
The convention is to use an entityID of the form https://#service host name#/shibboleth. In cases where the service host name (e.g. elearning.example.org) is different from the system name (e.g. web-host27.example.org), always use the service host name.

Filesystem path to the configuration directory:

Filesystem path to the X.509 key used by Shibboleth:

Filesystem path to the X.509 certificate used by Shibboleth:

Default URL to send the user after authentication:
Ideally, this is a Shibboleth-protected page that sets up the user session.

Support contact email address of the resource:
Will be shown in error Shibboleth messages

Advanced Configuration Options

Enable Metadata Attributes Support:

Configure Service Provider to extract public attributes from metadata. More ...

Extracted Metadata Attributes Info

Since version 2.5 and newer, the Shibboleth Service Provider can extract additional information about the Identity Provider of the current user from the SAML2 metadata files. This information then is made available to web applications like any other AAI attribute.
In particular the metadata attributes typically include for SWITCHaai Identity Providers:

organization display name (available for all SWITCHaai Identity Providers)

Enabling the SWITCHtoolbox option allows a Shibboleth Service Provider to automatically querying group attributes from the SWITCHtoolbox. This option makes sense to enable if the service wants to make use of group attributes for access control and authorization. The Service Provider will get group and subgroup attributes from the SWITCHtoolbox if it was registered as a SWITCHtoolbox Tool and if a user is member in at least one group that added your service. Enabling this option ensures that the isMemberOf attribute is only accepted when retrieved from the SWITCHtoolbox.
Please note that you must register your service as a tool before getting group attributes. For further information and assistance, please contact the SWITCHtoolbox support.

Enabling the Interfederation/eduGAIN option allows a service protected by the Service Provider to be accessed not only by SWITCHaai or AAI Test federation users but users by users from foreign SAML2 identity federations. Interfederation support is in particular enabled via the eduGAIN interfederation service. Before enabling this option, please first have a look at the AAI Interfederation page and contact the AAI team for assistance.
Enabling this option is therefore recommended if the service shall also be used by users from non-Swiss organisations.Interfederation support is currently not available to Federation Partners.

Examine and Update Setup

After completing and verifying the setup information above, click on the button "Update Configuration Guide with above Data"

Quick Configuration Files Download

If you are in a hurry and know the whole setup process, you can download all configuration files directly and store them in /etc/shibboleth:

X.509 certificate for SAML message signing/encrypting

The Shibboleth daemon (shibd) needs an X.509 certificate for signing and encrypting SAML messages. SWITCH recommends to use a dedicated self-signed certificate, which is independently configured from the SSL/TLS certificate used by the Web server.
The web server can use any certificate for providing TLS/SSL. But the Shibboleth Service Provider also needs a certificate for signing and decrypting messages. The Service Provider can either use the same certificate as is used for the web server (provided it meets the AAI X.509 Certificate Requirements) or one can create an independent self-signed certificate for usage by the Shibboleth Service Provider only. SWITCH recommends to use a self-signed certificate for usage by the Shibboleth Service Provider.

Open the shibboleth2.xml and review the Shibboleth configuration. You might want to change some settings for more advanced use cases like defining multiple Shibboleth applications.If you are using IIS with multiple sites, make sure to review the <Site> element and its id value. Shibboleth requires the site ID value. The site id for the default IIS Site is one 1, which is also the default value used in the Shibboleth configuration. For all other Sites, the site ID can be seen via the Site Advanced Settings

There are two more federation-specific files that need to be deployed for the proper attribute handling in the federation.

Download Attribute Map

Use curl (or your web browser) to download the attribute-map.xml file to the configuration directory:

The attribute map defines which attributes the Service Provider will be able to handle and under which name they are made available to a web application.

Note

This backwards-compatible attribute-map.xml should no longer be used since it is not compatible with Shibboleth Service Provider 3.x. This file includes the deprecated attribute aliases. It allows that an attribute is available under two names, a short name (recommended) and a legacy attribute name usually starting with Shib-. This version should only be used for existing Service Provider as a temporary measure before an application is adapted to use short attribute names. Adapt your applications to use the short attribute names, e.g. mail instead of Shib-InetOrgPerson-mail. Therefore, use this last chance to adapt your applications now!

Download Attribute Policy

Use curl (or your web browser) to download the attribute-policy.xml file to the configuration directory:

The attribute policy defines which attributes and which values the Service Provider will accept from which Identity Provider. Attributes and values that don't match the rules are filtered out by the Service Provider.

Metadata Validation

In order to validate the federation metadata files downloaded by the Service Provider

Download Root Certificate

Open a terminal window and use curl (or your web browser) to download the root certificate to the configuration directory:

If configured like in this guide described, Shibboleth will automatically download metadata and CRL files. These files are by default stored in the directory /var/cache/shibboleth/C:\opt\shibboleth-sp\var\cache\shibboleth/. This differs from previous installations where the metadata file used to be in the configuration directory /etc/shibboleth/.

Configuration Test

After the configuration a quick test shows whether the Service Provider was installed properly.

Shibboleth Configuration Check

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:

sudo shibd -t

C:\opt\shibboleth-sp\sbin\shibd.exe -check

If the last line of the output is the following message, everything is as expected:

This message demonstrates that the Shibboleth module is loaded by the webserver and is communicating with the shibd process.

Register Service Provider

To integrate the Service Provider into the federation, it needs to be registered with the Resource Registry, so that its metadata is added to the officially distributed federation metadata. This step is a prerequisite for successfully communicating with the identity providers in the federation.

To register the Service Provider you need to create a new Resource Description by:

Log in using an account of the SWITCHaai federation (even if you want to register a resource for the AAI Test federation).
In case you don't have an AAI account yet and if you represent an existing Federation Partner (or its contractor), please ask aai@switch.ch for a Virtual Home Organization (VHO) account. If your company is not yet a SWITCHaai Federation Partner, please have a look at the page for new Federation Partners, if appropriate. Technical contacts of Federation Partners can request VHO accounts like described above.

In order to create a new Resource Description, click on the Run Shibboleth 2.x wizard and provide the URL https://yourhost.example.org/Shibboleth.sso/Metadata as metadata handler URL.
If the wizard complains that it cannot download the metadata this may be because the host is not reachable from the Internet. In this case, open the above link in the web browser and copy & paste the XML metadata into the text area of the Resource Registry.

Complete the remaining forms that are marked incomplete. Some forms are optional but it still is recommended to complete them.

If all sections are completed and their status is either ok or optional, click on the button Submit for Approval.
It is recommended to provide a short comment for what purpose this Resource Description was created.
A Resource Registration Authority (RRA) administrator of your organization or from SWITCH then will approve the new Resource Description after examination. Only after the Resource Description has been approved it becomes active and only after this step it will be included in federation metadata. After approval it may take up to two hours until the Service Provider can be used because all Identity Provider first have to refresh the federation metadata.

Login Test

After the Resource Description in the Resource Registry was approved by an RRA administrator, you have to wait two hours before you can continue (to allow the Identity Providers to download the latest metadata). You can then test whether the Service Provider is correctly deployed by accessing the Session Initiator Handler URL.

On the Discovery Service/WAYF choose your HomeOrganization to authenticate.
You should be redirected to the login page of your HomeOrganization.

Authenticate at your HomeOrganization to access the Session Handler.

What you should see there is the session information containing the used Identity Provider, authentication instant and at the bottom the available attributes. The number of attributes is depending on which attributes were declared as required and desired during the registration at the Resource Registry. An example screenshot of the session handler is given below.

Access Control

Now you should be able to use Shibboleth to perform access control and to use SAML attributes in your web applications as is described in the following.

Configure your application

Some applications, e.g. Learning Management Systems, have options to enable Shibboleth, which means you might configure a data mapping between the AAI attributes and your application. For other applications one may need/want to implement access control based on attributes on his own. In this case, ensure that these directories, or individual pages where the attributes should be available, are processed by the Shibboleth SP. This can be achieved with:Apache:
Adding the following directives to the Apache configuration:

If you don't want to allow just any AAI user, you might want to configure some Shibboleth Access Control Rules. Otherwise your application is NOT protected.

Subscribe to the AAI mailing lists

Important general announcements concerning the SWITCHaai federation are announced in the SWITCH edu-ID Newsletter.
Technical information like security advisories and short-term recommendations are published on the AAI-Operations mailing list.
It is recommended that the administrators of the Service Provider subscribe to both lists.

Troubleshooting

If the access via Shibboleth did not work as expected, find below some instructions on how to debug problems.

Debugging Instructions

In case of problems, it is best to try these steps.

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:

sudo shibd -t

C:\opt\shibboleth-sp\sbin\shibd.exe -check

If the last line of the output is the following message, everything is as expected:

If there are any ERROR messages, it is strongly recommended to have a look at the problem. Messages with log level WARN are generally not problematic but it also is recommended to examine the problem.

Examine the Shibboleth Service Provider daemon log file. By default it can be found at: /var/log/shibbolethC:\opt\shibboleth-sp\var\log\shibboleth\.
The exact location of the log files is defined in the shibd.logger configuration file.
Open the log file with lesswith a text editor like Notes, scroll down to the end of the log file and locate messages with the log level ERROR or WARN.

Sometimes it helps to temporarily increase the log level (log4j.rootCategory) in shibd.logger to DEBUG. This results in a much more verbose output after a restart of the Service Provider.
Don't forget to reset the log level back to WARN or INFO once the issue has been resolved. Otherwise Shibboleth might remove older messages from the log files to keep the log files at a fixed maximum size.

Common Problems

Find below a list of common problems and possible solutions:

Identity Provider complains No return endpoint available for relying party after authentication

This means that the Identity Provider has no metadata for your Service Provider yet, either because you have not registered the Service Provider yet with the Resource Registry, because the Resource Description has not been yet approved or because the Identity Provider has not yet downloaded the metadata file containing the Service Provider description.

Service Provider complains Unable to resolve any key decryption keys after authentication

This means that the Service Provider uses a different pair of X.509 certificate/key than was used to register the Service Provider with the Resource Registry. Please compare the certificate used by the Service Provider with the certificate that you used to create the Resource Description. Most likely, they are not the same.

The Service Provider complains Can't connect to listener process

This means that the mod_shib module cannot communicate with the shibd process. Either because shibd is not running (check that the process is running) or because they use different configuration files (e.g. in /etc/shibboleth/shibboleth2.xml and /etc/shibboleth/shibboleth2.xml)

No attributes are available at the Service Provider after authentication

Access the session handler of the Service Provider after authentication at: https://yourhost.example.org/Shibboleth.sso/Session
If there are no attributes listed there, the most likely reason is that the Identity Provider did not release any attributes because it does not belong to the intended audience. Check the Resource Description in the Resource Registry and make sure that the Identity Provider you used to authenticate belongs to the intended audience.

Advanced Configuration

Error Pages Customization

All error pages and messages shown by Shibboleth can be customized. The default template files *.html can all be found in the configuration directory /etc/shibboleth. The most important templates are: accessError.html, attrChecker, localLogout and sessionError. In these templates one can use various parameters that are made available by the Service Provider. Have a look at the Shibboleth Template documentation.